HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

NOTE: All schedule files must be located in /etc/opt/ids/schedules.
Surveillance Schedule Text File
The surveillance schedule text file has two main sections:
Surveillance Schedule Section: A section that defines global properties of a schedule that are
not specific to any Surveillance Group or Template. There can only be one Surveillance
Schedule section in a surveillance schedule text file.
Surveillance Group Section: A subsection of the Surveillance Schedule section that defines
properties for a Surveillance Group. There can be one or more Surveillance Group sections
in a Surveillance Schedule section.
NOTE: Template information for the various groups is located in the group files in
/etc/opt/ids/schedules/groups.
WARNING! Schedule text files found on agent hosts in /var/opt/ids/schedule should
not be copied into /etc/opt/ids/schedules on the admin host. The schedule file in
/var/opt/ids/schedule is expanded to contain the template properties, while the
schedule files on the admin host in /etc/opt/ids/schedules are not. The idsadmin
command and the GUI cannot parse a schedule that is in expanded form.
Surveillance Schedule Section
This section contains the following keywords and syntax:
SCHEDULE <schedule name>
GLOBALS <Schedule Global Properties>
ENDGLOBALS
[SRP]
[NAME <SRP name>]
NAME <Surveillance Group Subsection>
NAME <Surveillance Group Subsection>...
[ENDSRP]
ENDSCHEDULE
This section is bracketed by the SCHEDULE and ENDSCHEDULE keywords, which mark the beginning
and end of an HIDS text schedule. The name following the SCHEDULE keyword is the name of the
schedule that the agent reports to the System Manager while the schedule is running. The schedule
name must consist of an alphanumeric character followed by one or more alphanumeric characters,
underscores (_), or hyphens (-). This section contains a global properties subsection and one or
more Surveillance Group subsections. The global properties subsection is bracketed by the
GLOBALS and ENDGLOBALS keywords.
The following global properties are defined within the GLOBALS and ENDGLOBALS keywords:
aggregation: The aggregation property is an alert aggregation flag that is used to enable or
disable alert aggregation. The property value is specified using the syntax described in
“Type VII: Flags” (page 112) and is equivalent to the Schedule Manager Alert Aggregation
option box described in “Configuring Alert Aggregation” (page 67). The property set to “1”
is equivalent to the Alert Aggregation option box being selected in the GUI Schedule Manager.
The property set to “0” is equivalent to the Alert Aggregation option box not being selected.
rt_alerts: The rt_alerts property is an alert aggregation flag that is used to enable or
disable the generation of real time alerts while alert aggregation is enabled. The property
value is specified using the syntax described in “Type VII: Flags” (page 112) and is equivalent
to the Schedule Manager Real Time Alerts option box described in “Configuring Alert
Aggregation” (page 67). The property set to “1” is equivalent to the Real Time Alerts option
box being checked. The property set to “0” is equivalent to the Real Time Alerts option box
not being checked.
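The following is an added example, not code from the HP-UX HIDS product or this guide: a small
checker that an administrator could run over a schedule text file in /etc/opt/ids/schedules
before handing it to idsadmin. It enforces only what this section states (one SCHEDULE section,
one GLOBALS subsection, the schedule-name rule, and the 0/1 values of the aggregation and
rt_alerts flags) and passes the SRP and Surveillance Group subsections through unchecked. The
"keyword value" line form used inside GLOBALS is an assumption about the Type VII flag syntax,
which is defined on page 112 and not reproduced here, and the sample schedules are constructed.

```python
import re
import sys

# Assumed line form inside GLOBALS: "<property> <value>" (the Type VII flag
# syntax is on page 112 of the guide and is not reproduced on this page).

# Schedule name: one alphanumeric character followed by one or more
# alphanumerics, underscores or hyphens, as stated in the guide.
SCHEDULE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]+$")

# Global flag properties named on this page; both take the values 0 or 1.
FLAG_PROPERTIES = {"aggregation", "rt_alerts"}


def check_schedule(text):
    """Parse the SCHEDULE/GLOBALS part of a schedule text file.

    Returns (schedule_name, globals_dict, problems). An empty problems list
    means the checked parts conform to the rules on this page. SRP, NAME and
    Surveillance Group lines between ENDGLOBALS and ENDSCHEDULE are skipped.
    """
    problems = []
    globals_ = {}
    schedule_name = None
    globals_seen = False
    state = "outside"  # outside -> schedule -> globals -> schedule -> done

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        rest = parts[1].strip() if len(parts) > 1 else ""

        if state == "outside":
            if keyword != "SCHEDULE":
                problems.append(f"line {lineno}: expected SCHEDULE, got {keyword}")
                continue
            if not SCHEDULE_NAME_RE.match(rest):
                problems.append(f"line {lineno}: invalid schedule name {rest!r}")
            schedule_name = rest
            state = "schedule"
        elif state == "schedule":
            if keyword == "GLOBALS":
                if globals_seen:
                    problems.append(f"line {lineno}: second GLOBALS subsection")
                globals_seen = True
                state = "globals"
            elif keyword == "ENDSCHEDULE":
                state = "done"
            # SRP / NAME / ENDSRP and group subsections are not validated here.
        elif state == "globals":
            if keyword == "ENDGLOBALS":
                state = "schedule"
            else:
                if keyword in FLAG_PROPERTIES and rest not in ("0", "1"):
                    problems.append(
                        f"line {lineno}: {keyword} must be 0 or 1, got {rest!r}")
                globals_[keyword] = rest
        elif state == "done":
            # Only one Surveillance Schedule section is allowed per file.
            problems.append(f"line {lineno}: text after ENDSCHEDULE")

    if state != "done":
        problems.append(f"unterminated section (ended in state {state!r})")
    if not globals_seen:
        problems.append("no GLOBALS subsection")
    # rt_alerts controls real time alerts only while aggregation is enabled,
    # so rt_alerts=1 without aggregation=1 is almost certainly a mistake.
    if globals_.get("rt_alerts") == "1" and globals_.get("aggregation") != "1":
        problems.append("rt_alerts is 1 but aggregation is not 1")
    return schedule_name, globals_, problems


# Constructed sample schedules (not from the guide).
GOOD_SCHEDULE = """SCHEDULE nightly_audit
GLOBALS
aggregation 1
rt_alerts 1
ENDGLOBALS
ENDSCHEDULE
"""

BAD_SCHEDULE = """SCHEDULE -broken
GLOBALS
aggregation yes
rt_alerts 1
ENDGLOBALS
"""


if __name__ == "__main__":
    # Usage: python check_schedule.py /etc/opt/ids/schedules/<file> ...
    files = sys.argv[1:]
    if not files:
        for label, sample in (("good", GOOD_SCHEDULE), ("bad", BAD_SCHEDULE)):
            name, g, probs = check_schedule(sample)
            print(label, name, g, probs)
    for path in files:
        with open(path) as fh:
            name, g, probs = check_schedule(fh.read())
        print(path, name, g, "\n  ".join([""] + probs) if probs else "OK")
```

The checker deliberately reads the admin-host form only; it does not try to recognise the expanded
form found under /var/opt/ids/schedule on agents, so a file copied from there will simply fail
the structural checks rather than be silently accepted.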
Surveillance Schedule Text File 193